Friday, October 19, 2007

Software as a Service (SaaS) for Website Vulnerability Assessment (VA) – all the cool kids are doing it. WhiteHat Security has been the pioneer of the model for the last several years, but only very recently has industry activity validated the market. Huge companies are jumping in, making their moves with acquisitions, and retrofitting technology towards SaaS. Customer demand is growing extremely fast as customers come to understand webappsec’s importance. I’m hoping everyone is noticing the same great uptick in webappsec VA that we are. Anyway, all of this makes sense because many information security segments have followed similar evolutionary paths:

1) Technology starts off as someone’s pet project
2) Several variations work their way into first generation tools
3) They mature into enterprise product offerings
4) SaaS manifests as manageability, scalability, and economics become issues

This evolution occurred with the IDS, firewall, A/V, and network vulnerability assessment (VA) industries. Think of the parallels in network VA with SATAN, Nessus, eEye, ISS, Qualys, and everything in between. Today we’re witnessing it happening with website VA. The late 90’s and early 00’s saw the rise of scanners, proxies, and various tools like Whisker, Nikto, Elza, Achilles, and many others. Then Watchfire, SPI Dynamics, Cenzic, Acunetix, and NTOBJECTives raised the bar with commercial products. Of course it was only a matter of time before enterprises demanded better manageability, scalability, and economic options as the tools weren’t getting the job done. Enter SaaS.

WhiteHat Security recognized this need and decided early on to go the SaaS-only route. There are millions of websites out there that need continuous VA and simply not enough web security experts to go around. This required us to build a technology platform capable of scanning the world’s largest websites (1MM+ links), lots of them all at the same time (thousands, tens of thousands, etc.), plus develop an efficient process to suppress false-positives, and most importantly leverage the technology to create a streamlined expert-driven methodology to complete comprehensive assessments. Clearly this is no small task and one that takes serious development time and expertise to achieve. So let’s get to the bottom of who’s got what and what they’re doing.

Network VA SaaS pioneer Qualys plans to offer web application scanning in Q1 of ’08 and hired a couple of bright people to build the technology. This places Qualys in a similar position to ScanAlert (HackerSafe), which also does SaaS network VA and at least some web application scanning. IBM and HP have also completed acquisitions of Watchfire and SPI Dynamics respectively. Attacking from both sides, published reports and insiders say that both behemoths are setting their sights on website VA SaaS, while at the same time AppScan/WebInspect R&D will push the products towards developers and QA testers. Finally, Core Impact and eEye are adding web application penetration testing to their products as well.

All this points to market momentum and healthy competition, great for the consumer and practitioner. It’s all about capabilities though.

For those who don’t already know, scanning a network for vulnerabilities has very little to do technologically with website or web application VA. This is a big reason why no one has successfully combined multiple VA solutions. Qualys has a nice infrastructure capable of scanning really big networks. However, they must start from scratch to build the technology capable of scanning websites for vulnerabilities. Plus, they enter an arena where others are entrenched with a several-year technology head start. They’ll have some proving to do. The same reasoning applies to ScanAlert, and both companies are big players in the PCI ASV market.

IBM and HP have the opposite problem. They have the vulnerability scanning capability from the product acquisitions, but must build out big web application scanning and assessment infrastructures to go with it. Converting desktop products into a SaaS platform, which must be a little like turning MS Outlook/Exchange into Gmail, takes time. Neither Qualys, IBM, nor HP possess the ability to scale the people and process portion to complete an assessment. That’ll mean huge false-positive rates and limited coverage for customers, at least initially. IBM and HP, at least, will be able to compensate by putting a consultant with a scanner behind the curtain and calling it SaaS. This will have to work long enough for them to nail a process down, just like all the scanner product guys have been doing for the last year or two.

Like I said, WhiteHat Security started early and built the trifecta: web application vulnerability technology, large scanning infrastructure, and an efficient expert-driven assessment process. What’s new is the mega corps surrounding us on all sides competing for the same dollars, but I really look forward to the challenge, as it’s good for the market. And on the industry outskirts are still other big names like Symantec, McAfee, VeriSign, PWC, etc. who have teams of webappsec VA consultants but lie dormant on the SaaS side. One thing I’ve learned over the years is that superior solutions don’t always ensure market share victory - these competitors could win deals based on name recognition alone. The next 12 to 18 months are going to be a lot of fun and highly interesting.

10 comments:

You mention that WhiteHat Security is ready to meet the challenges on all fronts because they started early. I think this shows some really good forward thinking. As you mention, lots of companies are very unbalanced in both arenas: either in SaaS or in efficient and skilled technical personnel to take the automated assessment that step further.

For the companies that already have technical teams to conduct assessments, one possible approach is to build up a SaaS model which they can use to further upsell their consultancy services. The key here is to be able to build up their SaaS offering quickly to compete with the rest of the big boys. The only way I see this happening is for a little bit of 'creative borrowing' from the already existing VA scanning engines in the beginning while they're out to win market share. This calls into question ethics, copyright laws and a whole lot of other cans of worms I don't want to mention.

As you said, I am also of the opinion that the niche that is SaaS will begin to be exploited by anyone who can in 2008, and fast. It's just a shame that it took this long for the industry to recognize the benefits of the model. In some geographic regions, the idea is not even heard of and is about as alien as can be. I will also watch from the sidelines with great interest.

Mimicking is one way consulting shops may compete, but I think another approach should be considered.

If SaaS plays out the way we think it will, the act of finding vulnerabilities in websites is going to be grunt work just like it already is in Network VA. And grunt work is not a poor use of a specialist's time. It's better for the firm to seek partnerships they can leverage because here is what happens on the customer end.

SaaS vendor finds vulnerabilities, but due to the sheer size of the problem and complexity of the solutions, they're going to need "high-end" help to develop a strategy moving forward. How can they develop a better SDLC to counteract the vulns they specifically have? Do they need a WAF? Which one, and how best to manage it? Are strong configuration baselines and training in order? Those areas are all much better served by a consultant rather than a pure SaaS.

So for myself, I see a nice symbiotic relationship should anyone decide to build towards that end.

However, as you've said before, app testing is never going to be as automated as network testing - there are things (like the "business logic" drum you've been pounding recently, not to mention AuthN/AuthZ issues) that scanners just *won't* find because it's impossible for them to understand the app like a human would.

SaaS works really well in this instance, but IMHO, you will always need someone (trained monkey/employee or consultant/professional WAPT'er) to "go back in" and follow up on certain issues/test cases. Some type of holistic approach is really the only way of going and I think you guys at WhiteHat are (at the very least) on the right road.

Ahahah nice Mike. I only wish I could be more forthcoming on my thoughts about acquisitions and getting acquired. What I can say is that my daily work life has nothing to do with getting bought and everything to do with building a great business. Beyond that, I must leave it to speculation. :)

As far as "the right way" to go about things, we're both eye to eye there. The part I'm thinking my way through is that there simply aren't enough experienced humans to go around and do the work, even if there were unlimited budget dollars. I can certainly see a world where mass scanning-only is done for lack of a better option. If someone has a better idea, I'm all ears.

** Quote: "IBM and HP have the opposite problem. They have the vulnerability scanning capability from the product acquisitions, but must build out big web application scanning and assessment infrastructures to go with it."

This is so far from the truth, at least for IBM. Watchfire has been selling SaaS for several years now, even before the Sanctum acquisition. I think we've already talked about this in the past Jeremiah.

** Quote: "Converting desktop products into a SaaS platform, which must be a little to like turning MS Outlook/Exchange into Gmail, takes time. Neither Qualys, IBM, nor HP possess the ability to scale the people and process portion to complete an assessment."

1) There's no need to convert the desktop products to SaaS; that already happened a few years ago.

2) Are you sure you are talking about the correct IBM and HP? Are you seriously hinting that the largest software companies in the world can't execute on something a small company such as yours managed to pull off? Come on Jeremiah...

"This is so far from the truth, at least for IBM. Watchfire has been selling SaaS for several years now, even before the Sanctum acquisition."

Please be specific. What SaaS line are you referring to that Watchfire offered and was backed by a large vulnerability scanning platform? Before and/or after the acquisition.

And if this was the case, so I understand its actual scalability better - beyond just the theoretical - how many websites was it actually scanning for vulnerabilities at the same time successfully?

"There's no need to convert the desktop products to SaaS".

Again, please be specific. Which product was converted to SaaS?

"are you seriously hinting that the largest software companies in the world can't execute on something a small company such as yours managed to pull off?"

Certainly not, and I made no such claim. I'm saying IBM hasn't YET executed and started the process behind us. And in fact I'm counting on IBM following, because WhiteHat would enjoy the market competition. That being said, in the past smaller software companies have routinely out-innovated larger competitors because they're nimble. Though it's not the only thing that matters to building a business.

Naturally, I can't disclose any technical information. Let me just say that I am confident in IBM's SaaS capabilities.

Quote: "That being said, in the past smaller software companies have routinely out-innovated larger competitors because they're nimble"

True, but - 1) I strongly believe (and know) that Sanctum/Watchfire/IBM has been innovating, and leading some of the scanning research in the past 10 years.

2) You have to remember that in most cases the tool that most people like to use is not necessarily the most innovative one. It takes more than innovation to appeal to the general public. But yet again, see my #1.

"HackerSafe" is a complete joke, I've lost count of the sites I've seen with "HackerSafe" banners on them that had multiple major vulnerabilities.

I do know that Watchfire has been offering an online AppScan for at least a year or two but I've never used it or heard of anyone using it. I also don't know the details behind it. But, I remember the one time someone there actually talked about it in a webcast it came across to me (rightly or wrongly) like their interface was basically a web front end on cron which kicked off an AppScan session at the specified date/time against the specified webapp target.